From: Linus Lüssing
To: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Dietmar Maurer, Thomas Lamprecht, Wolfgang Bumiller, Alexandre Derumier, Linus Lüssing
Subject: [PATCH net] netfilter: conntrack: fix ct-state for ICMPv6 Multicast Router Discovery
Date: Wed, 6 Mar 2024 15:18:04 +0100
Message-ID: <20240306141805.17679-1-linus.luessing@c0d3.blue>
X-Mailer: git-send-email 2.42.0

So far Multicast Router Advertisements and Multicast Router Solicitations
from the Multicast Router Discovery protocol (RFC4286) would be marked as
INVALID for IPv6, even if they are in fact intact and adhering to RFC4286.

This broke MRA reception and by that multicast reception on IPv6 multicast
routers in a Proxmox managed setup, where Proxmox would install a rule like
"-m conntrack --ctstate INVALID -j DROP" at the top of the FORWARD chain
with br-nf-call-ip6tables enabled by default.

Similar to what is done for MLDv1, MLDv2 and IPv6 Neighbor Discovery
already, fix this issue by excluding MRD from connection tracking handling,
as MRD always uses predefined multicast destinations for its messages, too.

This changes the ct-state for ICMPv6 MRD messages from INVALID to UNTRACKED.

This issue was found and fixed with the help of the mrdisc tool
(https://github.com/troglobit/mrdisc).

Signed-off-by: Linus Lüssing
---
 include/uapi/linux/icmpv6.h               | 1 +
 net/netfilter/nf_conntrack_proto_icmpv6.c | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/icmpv6.h b/include/uapi/linux/icmpv6.h index ecaece3af38d..4eaab89e2856 100644 --- a/include/uapi/linux/icmpv6.h +++ b/include/uapi/linux/icmpv6.h @@ -112,6 +112,7 @@ struct icmp6hdr { #define ICMPV6_MOBILE_PREFIX_ADV 147 #define ICMPV6_MRDISC_ADV 151 +#define ICMPV6_MRDISC_SOL 152 #define ICMPV6_MSG_MAX 255 diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c index 1020d67600a9..327b8059025d 100644 --- a/net/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/netfilter/nf_conntrack_proto_icmpv6.c @@ -62,7 +62,9 @@ static const u_int8_t noct_valid_new[] = { [NDISC_ROUTER_ADVERTISEMENT - 130] = 1, [NDISC_NEIGHBOUR_SOLICITATION - 130] = 1, [NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1, - [ICMPV6_MLD2_REPORT - 130] = 1 + [ICMPV6_MLD2_REPORT - 130] = 1, + [ICMPV6_MRDISC_ADV - 130] = 1, + [ICMPV6_MRDISC_SOL - 130] = 1 }; bool nf_conntrack_invert_icmpv6_tuple(struct nf_conntrack_tuple *tuple, -- 2.43.0
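Review bot: Multicast Router Termination (type 153), the third message type RFC 4286 defines next to Advertisement (151, already present as ICMPV6_MRDISC_ADV) and Solicitation (152, added in the include/uapi/linux/icmpv6.h hunk), is not added here, although it is likewise sent to a fixed multicast group and the commit message's rationale ("MRD always uses predefined multicast destinations") applies to it equally. Either add `#define ICMPV6_MRDISC_TERM 153` next to the new define and cover it in the conntrack table, or say in the commit message why only 151/152 are handled. The define itself is purely additive in a UAPI header and changes no existing value, which is fine.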
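Review bot: The nf_conntrack_proto_icmpv6.c hunk grows noct_valid_new[] from 14 entries (highest index ICMPV6_MLD2_REPORT - 130 = 13) to 23, with indices 14 to 20 implicitly zero; that is only safe if the lookup bounds-checks against sizeof(noct_valid_new) rather than a hard-coded length, which the hunk does not show and should be confirmed before merging. The match is also on ICMPv6 type alone: the commit message justifies UNTRACKED by MRD's fixed multicast destinations, but a type 151/152 packet addressed to a unicast destination will equally bypass conntrack and any "--ctstate INVALID -j DROP" rule, the same way the existing NDISC entries behave; a sentence saying so in the commit message would help. Style: the patch touches the ICMPV6_MLD2_REPORT line only to append a comma; ending the list with a trailing comma (`[ICMPV6_MRDISC_SOL - 130] = 1,`) avoids the same churn for the next addition.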
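As an added example (not part of the patch, the kernel tree or the mrdisc tool): the RFC 4286 messages the commit message talks about, built with a valid ICMPv6 checksum over the IPv6 pseudo-header, next to a userspace mirror of the noct_valid_new[] table before and after the patch. Assumptions: the link-local source address and the interval values are constructed for the example; ICMPV6_MRDISC_TERM (153) is taken from RFC 4286 and is not defined by the patch; the table entries above the visible hunk (MLDv1 types 130 to 132 and Router Solicitation 133) are inferred from the commit message's "MLDv1, MLDv2 and IPv6 Neighbor Discovery" and may not match the kernel's table exactly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMPv6 types from RFC 4286. ICMPV6_MRDISC_TERM is not in the patch above;
 * it is defined here to show that the patched table does not cover it. */
#define ICMPV6_MRDISC_ADV  151
#define ICMPV6_MRDISC_SOL  152
#define ICMPV6_MRDISC_TERM 153

/* Fixed destinations MRD uses: ff02::6a (All-Snoopers) and ff02::2 (All-Routers). */
static const uint8_t ALL_SNOOPERS[16] = {0xff,0x02,0,0,0,0,0,0,0,0,0,0,0,0,0,0x6a};
static const uint8_t ALL_ROUTERS[16]  = {0xff,0x02,0,0,0,0,0,0,0,0,0,0,0,0,0,0x02};
/* Constructed link-local source address (assumption, not from the page). */
static const uint8_t SRC_LL[16] = {0xfe,0x80,0,0,0,0,0,0,0x02,0x00,0x5e,0xff,0xfe,0x00,0x01,0x01};

/* One's-complement checksum over the IPv6 pseudo-header (src, dst, upper-layer
 * length, next header 58) plus the ICMPv6 message. Returns 0 when run over a
 * message whose checksum field is already correct. */
static uint16_t icmpv6_checksum(const uint8_t src[16], const uint8_t dst[16],
                                const uint8_t *msg, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i < 16; i += 2)
        sum += (uint32_t)(src[i] << 8 | src[i + 1]);
    for (i = 0; i < 16; i += 2)
        sum += (uint32_t)(dst[i] << 8 | dst[i + 1]);
    sum += (uint32_t)(len >> 16) + (uint32_t)(len & 0xffff);
    sum += 58;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(msg[i] << 8 | msg[i + 1]);
    if (len & 1)
        sum += (uint32_t)msg[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill buf (at least 8 bytes) with an MRD message of the given type, set its
 * checksum and report the destination group. Advertisement carries the
 * advertisement interval in the code field and query interval / robustness
 * in the body; Solicitation and Termination are a bare 4-byte header.
 * Returns the message length, 0 for a type that is not MRD. */
static size_t mrd_build(uint8_t type, uint8_t *buf, const uint8_t **dst)
{
    size_t len;
    uint16_t csum;

    memset(buf, 0, 8);
    buf[0] = type;
    switch (type) {
    case ICMPV6_MRDISC_ADV:
        buf[1] = 20;               /* code: AdvertisementInterval, 20 s (constructed) */
        buf[5] = 125;              /* Query Interval 125 s (constructed) */
        buf[7] = 2;                /* Robustness Variable 2 (constructed) */
        len = 8; *dst = ALL_SNOOPERS; break;
    case ICMPV6_MRDISC_SOL:
        len = 4; *dst = ALL_ROUTERS; break;
    case ICMPV6_MRDISC_TERM:
        len = 4; *dst = ALL_SNOOPERS; break;
    default:
        return 0;
    }
    csum = icmpv6_checksum(SRC_LL, *dst, buf, len);
    buf[2] = csum >> 8;
    buf[3] = csum & 0xff;
    return len;
}

/* Build a message, check its checksum verifies, then check that flipping one
 * bit in the code field is detected. */
static bool mrd_checksum_roundtrip(uint8_t type)
{
    uint8_t buf[8];
    const uint8_t *dst;
    size_t len = mrd_build(type, buf, &dst);

    if (len == 0 || icmpv6_checksum(SRC_LL, dst, buf, len) != 0)
        return false;
    buf[1] ^= 0x01;
    return icmpv6_checksum(SRC_LL, dst, buf, len) != 0;
}

/* Mirror of noct_valid_new[], indexed by ICMPv6 type - 130, before and after
 * the patch. The size comes from the initializer, so the lookup below
 * bounds-checks with sizeof() the way the kernel must. */
static const uint8_t noct_before[] = {
    [130 - 130] = 1, [131 - 130] = 1, [132 - 130] = 1, [133 - 130] = 1,
    [134 - 130] = 1, [135 - 130] = 1, [136 - 130] = 1, [143 - 130] = 1,
};
static const uint8_t noct_after[] = {
    [130 - 130] = 1, [131 - 130] = 1, [132 - 130] = 1, [133 - 130] = 1,
    [134 - 130] = 1, [135 - 130] = 1, [136 - 130] = 1, [143 - 130] = 1,
    [ICMPV6_MRDISC_ADV - 130] = 1, [ICMPV6_MRDISC_SOL - 130] = 1,
};

/* true: conntrack sets IP_CT_UNTRACKED for this type; false: normal tracking,
 * which for MRD (no matching flow) ends up as INVALID. */
static bool icmpv6_untracked(uint8_t type, bool patched)
{
    const uint8_t *tbl = patched ? noct_after : noct_before;
    size_t n = patched ? sizeof(noct_after) : sizeof(noct_before);
    int idx = (int)type - 130;

    return idx >= 0 && (size_t)idx < n && tbl[idx];
}

int main(void)
{
    const uint8_t types[] = { ICMPV6_MRDISC_ADV, ICMPV6_MRDISC_SOL, ICMPV6_MRDISC_TERM };
    size_t t;

    for (t = 0; t < sizeof(types); t++)
        printf("type %u: checksum ok=%d, before=%s, after=%s\n", types[t],
               mrd_checksum_roundtrip(types[t]),
               icmpv6_untracked(types[t], false) ? "UNTRACKED" : "INVALID",
               icmpv6_untracked(types[t], true) ? "UNTRACKED" : "INVALID");
    return 0;
}
```

Running it shows 151 and 152 moving from INVALID to UNTRACKED while 153 stays INVALID under the patched table, which is the gap the reviewer note on the header hunk points at.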